
Protecting the Crown Jewels from Devastating Data Breaches


Charles Herring

Consulting Security Architect

@charlesherring

Protecting the Crown Jewels

© 2014 Lancope, Inc. All rights reserved.

Outline

• What are Crown Jewels?

• Who is Attacking?

• Where to Look?

• How to Look?

• “By Data” Grouping

• Data Anomaly Alarms

• Map/Relationship Policy

• User Defined Criteria

• Demo


Crown Jewels

• Card holder data (PCI)

• Patient records (HIPAA)

• Trade secrets

• Competitive information (M&A)

• Employee data (PII)

• State Secrets

Data that is valuable to attackers


Why do attackers care?

Attacker         | Jewel           | Motivation
-----------------|-----------------|----------------
Criminals        | PCI Data        | $4-$12/card
Criminals        | Patient Records | $30-$50/record
Activists        | Anything        | Shaming
State Sponsored  | Trade Secrets   | Geopolitical
State Sponsored  | Patient Records | ?!?!!!!


[Diagram: reference enterprise network with WAN, Datacenter, Access and Core tiers spanning Atlanta, New York and San Jose. Devices shown: Core 3560-X, 3850 Stack(s), Cat4k, Cat6k, ASA (Internet edge), 3925 ISR, ASR-1000, Nexus 7000, UCS with Nexus 1000v, VPC Servers.]


Where to Look?

North, South, East and West = Every Communication

Advanced Detection Methods: Signature, Behavior, Anomaly

Signature = Object checked against a blacklist
• IPS, Antivirus, Content Filter

Behavior = Inspect victim behavior against a blacklist
• Malware Sandbox, NBAD, HIPS, SIEM

Anomaly = Inspect victim behavior against a whitelist
• NBAD, Quantity/Metric based, not Signature based

                 | Signature | Behavior | Anomaly
-----------------|-----------|----------|--------
Known Exploits   | BEST      | Good     | Limited
0-day Exploits   | Limited   | BEST     | Good
Credential Abuse | Limited   | Limited  | BEST

The New Security Model


[Diagram: Attack Continuum]

BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Coverage: Network, Endpoint, Mobile, Virtual, Cloud

Point in Time vs. Continuous


By Data Grouping

• Find your data

• “Pull the thread” with Top Peers/Flow Tables

• Host Group Policies with lower tolerance

Find your jewels


Data Anomaly Alarms

• Suspect Data Hoarding

• Target Data Hoarding

• Total Traffic

• Suspect Data Loss

Counting Access
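The four alarms on this slide are all counters compared against a learned baseline, with the host group that holds the jewels given a much lower tolerance than the rest of the network (the "By Data Grouping" slide). The following is an added example written for this page, not Lancope or StealthWatch code; the host-group layout, the baselines and the flow records are constructed sample data, and the alarm arithmetic (observed > baseline × tolerance) is an assumption about how such a product behaves.

```python
"""Data anomaly alarms over flow records (added example, not Lancope code).

Implements the four alarms named on the slide (Suspect Data Hoarding,
Target Data Hoarding, Suspect Data Loss, Total Traffic) as per-host
counters compared against a learned baseline with a per-host-group
tolerance. Host groups, baselines and flows are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str            # client side of the conversation
    dst: str            # server side
    bytes_to_dst: int   # bytes sent src -> dst
    bytes_to_src: int   # bytes returned dst -> src


# Assumed host groups; "Crown Jewels" holds the patient-record servers and
# is listed first so it wins over the broader "Inside" group.
HOST_GROUPS = [
    ("Crown Jewels", [ip_network("10.10.0.0/24")]),
    ("Users", [ip_network("10.20.0.0/16")]),
    ("Inside", [ip_network("10.0.0.0/8")]),
]


def group_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, nets in HOST_GROUPS:
        if any(addr in net for net in nets):
            return name
    return "Outside"


# Alarm when observed > baseline * tolerance. Hosts in the Crown Jewels
# group get a far lower tolerance than the rest of the network.
TOLERANCE = {"Crown Jewels": 1.5}
DEFAULT_TOLERANCE = 4.0


def _zero():
    return {"hoard_bytes": 0, "served_bytes": 0, "loss_bytes": 0, "total": 0}


def daily_counters(flows):
    """Accumulate the per-host counters each alarm is computed from."""
    ctr = defaultdict(_zero)
    for f in flows:
        size = f.bytes_to_dst + f.bytes_to_src
        ctr[f.src]["total"] += size
        ctr[f.dst]["total"] += size
        if group_of(f.dst) != "Outside":
            # Suspect Data Hoarding: a client pulling data from inside servers.
            ctr[f.src]["hoard_bytes"] += f.bytes_to_src
            # Target Data Hoarding: an inside server handing out unusual volume.
            ctr[f.dst]["served_bytes"] += f.bytes_to_src
        if group_of(f.src) != "Outside" and group_of(f.dst) == "Outside":
            # Suspect Data Loss: an inside host pushing bytes to the outside.
            ctr[f.src]["loss_bytes"] += f.bytes_to_dst
    return ctr


ALARMS = [
    ("Suspect Data Hoarding", "hoard_bytes"),
    ("Target Data Hoarding", "served_bytes"),
    ("Suspect Data Loss", "loss_bytes"),
    ("Total Traffic", "total"),
]


def evaluate(flows, baselines):
    """Return (host, alarm, observed, threshold) for every exceeded counter.

    A host with no baseline for a counter is still learning and raises
    nothing for it; a zero baseline means any traffic at all alarms.
    """
    alarms = []
    for host, ctr in daily_counters(flows).items():
        base = baselines.get(host, {})
        tol = TOLERANCE.get(group_of(host), DEFAULT_TOLERANCE)
        for name, key in ALARMS:
            if key not in base:
                continue
            threshold = base[key] * tol
            if ctr[key] > threshold:
                alarms.append((host, name, ctr[key], threshold))
    return alarms


# Constructed baselines in bytes/day, as learned over prior weeks.
BASELINES = {
    "10.20.5.7": {"hoard_bytes": 50_000_000, "loss_bytes": 2_000_000,
                  "total": 80_000_000},
    "10.10.0.12": {"served_bytes": 200_000_000, "loss_bytes": 0,
                   "total": 300_000_000},
}

# Constructed day of flows: one workstation pulls far more than usual from
# the patient-record server, then pushes a large volume to the Internet.
SAMPLE_FLOWS = [
    Flow("10.20.5.7", "10.10.0.12", 1_000_000, 400_000_000),
    Flow("10.20.5.7", "203.0.113.9", 150_000_000, 50_000),
    Flow("10.20.9.3", "10.10.0.12", 200_000, 5_000_000),   # ordinary user
]

if __name__ == "__main__":
    for host, name, observed, threshold in evaluate(SAMPLE_FLOWS, BASELINES):
        print(f"{host:12} {name:22} {observed:>12,} > {threshold:>14,.0f}")
```

Run as a script, the sample day raises hoarding, loss and total-traffic alarms on the workstation and a target-hoarding alarm on the patient-record server; the server's own total stays inside its 1.5x tolerance, which is why the lower tolerance is applied per group rather than per counter. Hosts with no learned baseline raise nothing, so the baseline-learning period is itself a blind spot worth tracking.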


Map the Segmentation

• Logical vs. Physical

• Map Segmentation

Watch the logical roadways


Custom Events

• Evolution of HLV

• Alert when Segmentation fails

• Allows for NOR logic

Alert on Zero Tolerance
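The two preceding slides describe a relationship map between host groups (the "logical roadways") and a custom event that fires with NOR logic when segmentation fails. The following is an added example written for this page, not Lancope or StealthWatch code; the host groups, the permitted relationships and the flow tuples are constructed, and treating a relationship as a (source group, destination group, destination port) triple is an assumption.

```python
"""Map/Relationship policy and a zero-tolerance custom event (added example).

Every host-group pair either has a mapped relationship or it does not; a
flow on an unmapped roadway is a segmentation failure. The custom event
uses NOR logic: a flow touching the Crown Jewels group alarms when the
other end is neither an approved application server nor an admin jump
host. All groups, relationships and flows are constructed sample data.
"""
from ipaddress import ip_address, ip_network

# Assumed host groups, most specific first.
HOST_GROUPS = [
    ("Crown Jewels", [ip_network("10.10.0.0/24")]),
    ("App Servers", [ip_network("10.30.0.0/24")]),
    ("Admin Jump", [ip_network("10.40.0.0/28")]),
    ("Users", [ip_network("10.20.0.0/16")]),
]


def group_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, nets in HOST_GROUPS:
        if any(addr in net for net in nets):
            return name
    return "Outside"


# Relationship map: permitted (source group, destination group, dst port).
# Any roadway not listed here should carry no traffic at all.
RELATIONSHIPS = {
    ("Users", "App Servers", 443),
    ("App Servers", "Crown Jewels", 1433),
    ("Admin Jump", "Crown Jewels", 22),
}


def segmentation_alarms(flows):
    """Flows whose (src group, dst group, port) has no mapped relationship."""
    alarms = []
    for src, dst, port in flows:
        g_src, g_dst = group_of(src), group_of(dst)
        if (g_src, g_dst, port) not in RELATIONSHIPS:
            alarms.append((src, dst, port, g_src, g_dst))
    return alarms


def zero_tolerance_events(flows):
    """Custom event with NOR logic, independent of port: alarm on any flow
    touching Crown Jewels where the far end is NOT an App Server and NOT
    an Admin Jump host."""
    events = []
    for src, dst, port in flows:
        g_src, g_dst = group_of(src), group_of(dst)
        if "Crown Jewels" not in (g_src, g_dst):
            continue
        other = g_dst if g_src == "Crown Jewels" else g_src
        if not (other == "App Servers" or other == "Admin Jump"):   # NOR
            events.append((src, dst, port))
    return events


# Constructed flows as (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("10.20.5.7", "10.30.0.4", 443),      # user -> app server: mapped
    ("10.30.0.4", "10.10.0.12", 1433),    # app -> database: mapped
    ("10.40.0.2", "10.10.0.12", 22),      # admin jump -> database: mapped
    ("10.20.5.7", "10.10.0.12", 1433),    # user straight to database: unmapped
    ("10.10.0.12", "203.0.113.9", 443),   # database to the Internet: unmapped
]

if __name__ == "__main__":
    for a in segmentation_alarms(SAMPLE_FLOWS):
        print("segmentation failure:", a)
    for e in zero_tolerance_events(SAMPLE_FLOWS):
        print("zero-tolerance event:", e)
```

The relationship check is the fine-grained policy (it would also flag a user reaching an app server on a port other than 443), while the NOR event is deliberately coarse: it ignores ports and asks only whether anything other than the two approved groups is talking to the jewels, which is what "alert on zero tolerance" needs when the segmentation map is incomplete or out of date.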


DEMO